[nanbield,7/7] cve-check: don't warn if a patch is remote

Message ID	20231103132811.2074247-7-ross.burton@arm.com
State	New, archived
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 7/7] cve-check: don't warn if a patch is remote Date: Fri, 3 Nov 2023 13:28:11 +0000 Message-Id: <20231103132811.2074247-7-ross.burton@arm.com> In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[nanbield,1/7] linux-yocto: update CVE exclusions \| expand [nanbield,1/7] linux-yocto: update CVE exclusions [nanbield,2/7] libxml2: ignore disputed CVE-2023-45322 [nanbield,3/7] zlib: ignore CVE-2023-45853 [nanbield,4/7] pixman: ignore CVE-2023-37769 [nanbield,5/7] cve-check: sort the package list in the JSON report [nanbield,6/7] cve-check: slightly more verbose warning when adding the same package twice [nanbield,7/7] cve-check: don't warn if a patch is remote

Message ID

20231103132811.2074247-7-ross.burton@arm.com

State

New, archived

Headers

From: ross.burton@arm.com
To: openembedded-core@lists.openembedded.org
Cc: nd@arm.com
Subject: [PATCH][nanbield 7/7] cve-check: don't warn if a patch is remote
Date: Fri,  3 Nov 2023 13:28:11 +0000
Message-Id: <20231103132811.2074247-7-ross.burton@arm.com>
In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com>
References: <20231103132811.2074247-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[nanbield,1/7] linux-yocto: update CVE exclusions | expand

Commit Message

Ross Burton Nov. 3, 2023, 1:28 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time.  The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.

Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/lib/oe/cve_check.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index c0ab22d25ea..3fa77bf9a71 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -95,11 +95,6 @@  def get_patched_cves(d):
     for url in oe.patch.src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
-        # Remote compressed patches may not be unpacked, so silently ignore them
-        if not os.path.isfile(patch_file):
-            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
-            continue
-
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
         if fname_match:
@@ -107,6 +102,12 @@  def get_patched_cves(d):
             patched_cves.add(cve)
             bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
 
+        # Remote patches won't be present and compressed patches won't be
+        # unpacked, so say we're not scanning them
+        if not os.path.isfile(patch_file):
+            bb.note("%s is remote or compressed, not scanning content" % patch_file)
+            continue
+
         with open(patch_file, "r", encoding="utf-8") as f:
             try:
                 patch_text = f.read()

[nanbield,7/7] cve-check: don't warn if a patch is remote

Commit Message

Patch